Q. What's the DNS _msdcs zone for the forest root domain used for?

A. Active Directory (AD) uses DNS as its locator service to support the various types of services that AD offers, such as Global Catalog (GC), Kerberos, and Lightweight Directory Access Protocol (LDAP). Other non-Microsoft services can be advertised in the DNS, including--but not restricted to--non-Microsoft implementations of LDAP and GC. However, sometimes clients might need to contact a Microsoft-hosted service. For that reason, each domain in DNS has an _msdcs subdomain that hosts only DNS SRV records that are registered by Microsoft-based services. The Netlogon process dynamically creates these records on each domain controller (DC). The _msdcs subdomain also includes the globally unique identifier (GUID) for all domains in the forest and a list of GC servers.

If you install a new forest on a system that runs Windows Server 2003 and let the Dcpromo wizard configure DNS, Dcpromo will actually create a separate zone called _msdcs.<forest name> on the DNS server. This zone is configured to store its records in a forestwide application directory partition, ForestDNSZones, which is replicated to every DC in the forest that runs the DNS service. This replication makes the zone highly available anywhere in the forest.